Poodle Advisory

Google researchers have uncovered a bug in web-encryption technology that could allow hackers to gain information that could help them gain access to email, banking and other online accounts.

Dubbed Poodle, the threat is said to be less severe than Heartbleed, which sent the security industry into panic earlier this year. Poodle has already received widespread coverage.

The vulnerability is present in web browsers and servers using an old encryption standard called SSL 3.0, which is still used in a small percentage of web traffic. For the vulnerability to be exploited, the attacker would have to be in control of the Internet connection and be able to modify the network traffic between the victim and the web server. Successful exploitation of the vulnerability would give an attacker information – such as secure “cookies” – which could be used to give access to a victim’s bank, social media or online mail accounts without requiring a password.

Disclosures like this illustrate the dependency we have on the software which the majority of the world’s internet services rely upon. Much of it is written and maintained by volunteers and ends up running in servers on the Internet for “compatibility” for many years after the original software was released and the standards it is based on superseded. As a result, when vulnerabilities like this are discovered, they can have far reaching consequences.

There are, of course, huge benefits to open-source software development and even hiccups such as Heartbleed and Shellshock shouldn’t deter its use. It should, however, focus attention on some of the more critical software that is in widespread use today, and already the US Government has announced additional budget for Software Assurance projects aimed at securing open-source code.

Although more focus on finding bugs in OpenSSL, Bash, and other major open-source software is a good thing, it is likely that we’ll see more big disclosures in the coming weeks and months – leading to more fraught days ahead for security teams as they assess exposure to these and rush to patch.

If you are concerned you may have been a victim of a cyber attack contact our Cyber Incident Response Team on:

By submitting this form, with options ticked, you consent to BAE Systems processing your data for profiling and sending you further marketing communications. You may unsubscribe at any time using our preference hub or clicking unsubscribe in our emails. We're committed to protecting the privacy of your personal data. Such personal data is obtained only when voluntarily submitted by you and is subject to provisions in our privacy policy.